Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Forcegid doesn't seem to work #856

Open
superbspeed opened this issue Oct 17, 2024 · 1 comment
Open

Forcegid doesn't seem to work #856

superbspeed opened this issue Oct 17, 2024 · 1 comment

Comments

@superbspeed
Copy link

What happened:

Access to the SMB share is not restricted per gid:

[admin@mgmt01 fsx]$ k exec -it smb-test -n dev -- bash
groups: cannot find name for group ID 1114200513
groups: cannot find name for group ID 1114304631
I have no name!@smb-test:/$ id
uid=1114301531 gid=1114200513 groups=1114200513,1114304631
I have no name!@smb-test:/$ cd /ClincPharm/
I have no name!@smb-test:/ClincPharm$ ls -la
total 0
drwxrwx--- 2 root 1114304632  0 Oct  2 19:36 .
drwxr-xr-x 1 root root       47 Oct 17 10:25 ..
drwxrwx--- 2 root 1114304632  0 Oct  2 19:34 Restricted
I have no name!@smb-test:/ClincPharm$ cd Restricted/
I have no name!@smb-test:/ClincPharm/Restricted$ touch file.txt
I have no name!@smb-test:/ClincPharm/Restricted$ ls -la
total 0
drwxrwx--- 2 root 1114304632 0 Oct 17 10:38 .
drwxrwx--- 2 root 1114304632 0 Oct  2 19:36 ..
-rwxrwx--- 1 root 1114304632 0 Oct 17 10:38 file.txt

What you expected to happen:
Mount options gid and forcegid to work by restricting access only to users in the gid. In this case the user should have been denied access to the share.

How to reproduce it:

apiVersion: v1
kind: PersistentVolume
metadata:
  annotations:
    pv.kubernetes.io/provisioned-by: smb.csi.k8s.io
  name: pv-smb-bu-clinpharm
spec:
  capacity:
    storage: 100Gi
  accessModes:
    - ReadWriteMany
  persistentVolumeReclaimPolicy: Retain
  storageClassName: smb
  mountOptions:
    - dir_mode=0770
    - file_mode=0770
    - gid=1114304632
    - forcegid
    - noperm
    - mfsymlinks
    - cache=strict
    - noserverino  
  csi:
    driver: smb.csi.k8s.io
    volumeHandle: datastore.mydomain.com/BU/ClincPharm
    volumeAttributes:
      source: //datastore.mydomain.com/BU/ClincPharm
    nodeStageSecretRef:
      name: smbcreds
      namespace: default
	  
---
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: fsx-windows-clinpharm
  namespace: dev
spec:
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 100Gi
  volumeName: pv-smb-bu-clinpharm
  storageClassName: smb

---
apiVersion: v1
kind: Pod
metadata:
  name: smb-test
  namespace: dev
spec:
  securityContext:
    runAsUser: 1114301531
    runAsGroup: 1114200513
    supplementalGroups:
    - 1114304631
  volumes:
  - name: clinph
    persistentVolumeClaim:
      claimName: fsx-windows-clinpharm
  containers:
    - name: example-container
      image: ubuntu:jammy
      command: ["sleep"]
      args: ["1000"]
      volumeMounts:
      - name: clinph
        mountPath: /ClincPharm
  restartPolicy: Always

Anything else we need to know?:
The share itself is restricted to the group and the account used in PV (smbcreds) is a member of the group.

Environment:

  • CSI Driver version: v1.16.0
  • Kubernetes version: v1.26
  • OS (pod): Ubuntu 22.04
  • Kernel (pod): 5.10.225-213.878.amzn2.x86_64
  • Others: Running on AWS EKS
@andyzhangx
Copy link
Member

that seems to be the cifs driver issue

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@andyzhangx @superbspeed